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"The  downsizing  d  nulitaiy  forces  and  the  shrinking  defense  budget  have 
resulted  in  increased  reliance  on  C4I  interoperability.  The  C4I  for  the  Warrior 
concept  starts  with  the  warrior's  requizemems  and  inovides  a  roadmap  to  reach  the 
objective  of  a  seamle^  secure,  interoperable  global  C4I  network  for  the  wamex. 
The  C4I  for  the  Warrior  concept  will  give  the  battlefield  commander  access  to  all 
information  needed  to  win  in  war  and  wiU  provide  the  information  when,  where 
and  how  the  commaxuler  wants  it"  These  are  the  words  of  General  Colin  L 
Powell,  Chaiiman  of  the  Joint  Chieis  of  Staff.  They  reflect  his  views  on  the 
importance  of  Commarai,  Control,  Communications,  Computet;  and  Intelligence 
(C4I)  and  its  increased  inqxxtance  in  future  conflontations  on  the  battkfieid.  The 
C4I  for  the  Warrior  conc^s  focus  is  on  making  the  operarional  commanders  job 
easier.  One  facet  of  that  a{^xoach  is  allowing  the  warrior  to  request  or  "pull"  only 
the  inforniation  required  at  a  particular  time.  This  will  prevent  the  wmorfrom 
being  inundated  w^  multiple  reports,  fiom  multif^e  source^  requiring  extensive 
anah^  and  deoonfliction  wasting  precious  decision  tune.  "PuUing"tl^ 
infoimatioa  from  multiple  souices  and  "fusing"  it  into  one  simple  report  for  the 
operational  commander  has  significant  security  implications.  T^  study  examines 
the  C41  the  Warrior  concept,  multilevel  security,  and  accreditation  of  computer 
netwoiks.  R  is  an  anenqit  to  understand  vidiat  problems  lie  ahead  in  the  effort  to 
mcorporatemultLkvdsecuityintotheC4Iforthe  Warrior  concept  a^id  provide 
recommendations  addressing  those  problems. 


UST  OF  ILLUSTRATIONS 


Rgure  1-  Multilevel  Network. . 

Figure  2  -  Infosphcrc . 

Hguie  3  -  Fusion  Cericr  to  Warfighter. 
Rgupe  4  -  Manual  Relay . 


INTRODUCTION 


"At  the  height  of  the  Peraan  Oulf  conflict,  the  automated  message 
information  netwoik  passed  neady  2  million  packets  of  information  per  day 
through  gateways  (computer  networks)  in  the  Southwest  Asia  theater  of  c^^mmians. 
Efficient  management  of  information  inoeased  the  pace  of  combat  operations, 
improved  the  decision  making  process,  and  synchronized  various  combat 
capabilities.  The  technology  developed  to  suf^xxt  these  networks  proved  to  be  a 
vital  margin  that  saved  lives  and  helped  achieve  victory. 

Increased  reliance  on  Command,  Control,  Communications,  Computer,  and 
InteUigence  (C4I)  systems  is  a  fact  of  life.  As  we  downsize  the  military,  C4I  will 
become  even  more  ciudal  to  ensuring  we  provide  the  right  force,  at  the  right  place, 
at  the  right  time.  More  diiectly,  effective  C4I  is  absdutely  essential  to  support  our 
National  Military  Strategy.  "One  of  the  essential  elements  our  national  tmlitaiy 
strategy  is  the  ability  to  rapidly  assonUe  the  forces  needed  to  win  --  the  concept  of 

applying  decisive  force  to  overwhelm  our  adversaries  and  therein  tominate 
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conflicts  swiftly  with  a  minimum  loss  cf  life."  The  cancefA  df  C4I  for  the 
Warrior  provides  the  proper  focus  on  the  warrior  and  the  methods  of  {^{dying  C4I 
to  support  the  warrior  in  the  most  effective  manner  possible. 

The  purpose  of  this  paper  is  to  examine  how  C4I  for  the  Warrior  (C41FTW) 
can  be  implemented  securely  across  service  boundaries  thereby  supporting  the 
National  Military  Strategy.  The  paper  will  look  first  at  the  C41F1W  concept. 

Next,  it  will  discuss  the  meaniiig  of  multilevel  security  (MLS).  This  will  be 


followed  by  a  discussion  on  accreditation  of  computer  systems.  The  final  section 
will  deal  with  integrating  multilevel  security  into  the  C4IFrW  concept  and  provide 
recommendations  on  policy  and  teefanedogy  to  ensure  we  keep  the  proper  focus  on 
the  warrior. 

A  NEW  MILITARY  STRATEGY 

As  overaU  force  levels  draw  down  and  forward-deployed  forces  shrink^  our 
ability  to  project  our  power  will  underpin  our  strategy  more  than  cvct.  Wc  must  be 
aNe  to  deploy  substantial  forces  and  sustain  them  in  parts  of  the  world  where 
prepositioning  of  equipment  will  not  always  be  feasible,  where  adequate  bases  and 
infrastructure  may  not  be  available  to  support  our  forces  once  they  arrive.  Our 
strategy  q£  the  "come-as-you-are"  arma  qxmtaneous,  often  unpredictaNe  crises, 
requires  fully-trained,  highly-ready  forces  that  are  rapidly  ddiveraWe,  and  initially 
self-sufficient  Therefore,  C4I  systems  must  become  an  integral  part  of  a  strategy 
to  ensure  effective  command  and  control  and  integration  of  rapidly  defdqyed  force 
packages  This  is  where  the  concept  of  C41FTW  fits  in  so  welL 

C4IFORTHEWARRIOR(C4IFTW):  ITS  GENESIS 
A  short  time  aftor  his  arrival  as  Director,  Command,  Control, 
Communications  and  Computer  Systems  (J-6X  Joint  Staff,  VADM  Richard  C. 
Macke  began  to  develop  a  concept  to  focus  C4I  around  the  "warrior".  He  fleshed 
out  a  paper  underscoring  the  need  for  intmperability  and  defining  the  warrior's 
requirement  fora  "grouiul  truth"  picture  of  assigned  battle  space.  This  "ground 
truth"  would  allow  the  warrior  to  order,  respond  and  coordinate  horizontally  and 

vocally  to  the  degree  necessary  to  prosecute  Us  warfigiiting  mission  in  that  battle 
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space.  This  concept  had  to  be  focused  from  a  C4I  per^)cctive  and  the  capability 
C4I  could  provide  to  enhance  the  warrior's  knowledge  of  'ground  truth As  a 
result,  the  Vice  Director  J-6,  Major  General  Albeit  J.  Edmonds,  formed  a  "task 
force to  flesh  out  this  concept  with  a  focus  on  C4I  i^stems  and  architectures  in 
place  with  an  eye  toward  the  future.  The  author  was  a  member  of  that  initial  team. 

The  team's  task  was  to  take  VADM  Macke's  concept,  t^ainstonn  what  it 
meant  and  could  mean,  and  present  those  thoughts  to  V  ADM  Macke  in  a  briefing 
to  ensure  we  were  on  the  right  track.  The  two  week  effort  culminated  with  a 
direction  to  proceed  from  the  Admiral  along  with  the  establishment  of  a  new 
division  within  J-6  to  formalize  the  concepts  in  the  Admiral's  paper  and  the 
briefing.  The  new  division  is  the  Architecture  and  Integration  Division.  This 
division  began  the  arduous  task  of  reviewing  aU  known  C4I  architectures 
throughout  the  Department  of  Defense  (DOD)  and  using  that  review  to  establish 
how  to  go  about  develoi^  a  wanioar-focused  C4I  aicMtectuie  for  all  CINCs, 
Services,  and  Defense  agencies  to  use  in  developing  and  emi^qying  C4I  systems. 
The  major  tenets  of  that  architectural  concept  will  be  described  in  the  following 
paragrafdis. 

C4IFrW:  A  STRATEGIC  VISION  IN  C4I 
C4IFTW  sets  forth  a  concept  of  guiding  principles  and  provides  a  roadmap 
for  achieving  global  C4I  intooperafaility  that: 

-  will  allow  any  WarriOT  to  perfomi  any 
mission,  any  tim^  any  place 

-  is  responsive,  reliable,  and  secure 

-  is  affordable 
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The  concepc  provides  an  interoperaWc,  fully  integraicd  C4I  system  for  our  warriors 
to  assess,  respond,  letd,  and  fight- 

•  with  maximum  effectiveness 

-onaxrival 

-  in  unison  with  any  other  element, 
h  will  bring  to  the  waniois: 

-  accurate  and  complete  pictures  thdr 
battlespace 

<  timely  and  detailed  mission  objectives 

-  the  clearest  view  of  their  targets.  ' 

Intensive  analysis  revealed  there  was  no  single,  overarching  C4I  architecture 
from  which  all  supporting  Commander  in  Chief  (CINC),  Service,  or  Defense 
agency  C4I  aiclatectuzes  could  be  modeled.  As  a  result,  a  unifying  ctmcept  was 
essential  to  achieving  the  objective  of  a  global  C4I  syston  that  would  support  the 
requirements  of  the  warfighter,  consistent  with  national  security  {dans.  Through  a 
revolutionary  approach  and  in  an  evolutionary  manner,  this  concept  addresses  joint 
force  c^)erational  C41  interoperabili^  issues.  It  can  improve  the  joint  warfighter's 
abUity  to  manage  and  execute  crisis  and  contingency  operations  and  provide  a 
means  f<3r  unifying  the  many  heterogerjeous  service  C4I  programs  currently  bring 
pursued.  The  ccmcept  has  four  majcxr  components  that  are  critical  to 

understanding  how  it  can  help  the  waifighto-  lead  more  effectively  within  the 
confines  of  his  battlespace  and  assigned  missiotL  These  components  are  fusion, 

infospheie,  pre^darmed  essential  elements  of  information  (P2E2I),  and  over  the  air 
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updating  (OTAU). 

The  first  of  the  four  components  that  will  be  discussed  is  fusion.  As 
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addressed  eaiiier,  one  of  the  purposes  of  C4IFrw  is  to  tailor  infomiation  for  the 
warrior  and  allow  the  warrior  to  "pull"  the  required  informalion  when  it  is  needed. 
TTiis  will  ininimize,  and  hopefully  eliminate,  inundation  of  the  warrior  with 
infonnation  from  multiple  sources.  Fusion  is  one  method  to  eliminate  this 
inundation.  Fusion  is  the  process  of  receiving  and  integrating  all-source, 

multimedia  and  multiformat  infcnnatiofL  It  produces  and  makes  available  an 
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accurate,  complete  summary.  This  summary  is  as  timely,  more  concise,  less 
redundant,  and  more  useful  to  the  warrior  than  if  the  same  information  were 
received  directly  ftom  separate  multiple  sources.  In  effect,  the  warrior  requests  the 
information  that  is  fused  ftom  an  "infos{^ere".  A  dearer  understanding  oi  the 
infosjdiere  is  needed  to  fully  grasp  this  concept. 

The  infosphere  contains  the  total  combiiiation  of  information  sources,  fusion 

centers,  and  distribution  systems  that  represent  the  C4I  resources  a  warfighter 
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needs  to  pursue  his  operational  objectives.  The  warrior  essentially  plugs  in  to  the 
infosi^ere  and  pulls  out  the  required  infonnadon  whoi  needed  providing  timely 
and  relevant  infonnadon.  The  request  goes  out  to  any  and  all  sources  within  Uk 
infosphere  to  acquire  infonnadon  related  to  the  request  That  infonnation  is 
condensed  in  a  single  update  to  the  warrior  to  give  him  only  the  information 
required  in  the  format  required  with  little  or  no  need  for  human  evaluation  and  no 
confusion  from  conflicting  infonnation  from  multi|4e  sources. 

Due  to  the  stated  position  of  the  National  Military  Strategy,  the  warrior 
must  be  ready  to  fight  on  arrival.  Therefore,  warriors  need  certain  types  and 

amounts  of  information  with  them  for  their  systems  or  they  must  be  able  to  access 
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the  infosi^ere  immediaiely  upon  commenccmcni  of  an  operation.  The  waniOT 
must  take  some  of  this  information  to  the  battlefield  and  thus  minimize  time  to 
become  fully  operational  within  theater. 

Taking  some  information  to  the  battlefield  will  minimize  the  waniorr 
dependence  on  the  infospheie.  The  wanior  must  {dan  ahead  to  d^mnine  what 
elements  of  infonnation  axe  lequiied  upon  arrival  in  anticipation  that  hostilities 
may  begin  immediately.  This  information  is  described  as  preplanned  essential 
elements  of  infcamation  (P2E2I).  P2E2I  is  all  of  the  relevant  infonnation  the 
warrior  anticipates  that  will  be  needed  to  plan  and  carry  out  a  future  misrion.  This 
infonnation  will  comprise  the  initial,  static  database.  As  the  wanior  progresses 

toward  and  into  ccanbat,  this  data  will  be  refreshed  and  supplemented 

11 

automatically  from  decentralized  elemeius  of  the  infosi^ere.  Once  contact  is  made 
with  the  enemy,  the  battle^pace  changes  as  does  the  need  for  the  warrioii 
informatioiL  Any  infonnatioa  that  has  been  brought  to  the  battlefield  will  need 
updating. 

Ovcr-thc-Air-  Updating  (OTAU)  is  the  process  by  which  the  warrior's  daia- 
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bases  are  automatically  updated  by  elements  the  infosphere.  An  example  of 
this  may  be  a  technical  order  (maintenance  manual)  change  to  an  M- 1  tank.  The 
M-1  technical  order  wiU  be  (daced  on  a  computer  chip  within  the  tank  to  minimize 
lift  requirements  -  no  paper  tech  orders.  An  updated  order  in  the  factory  could  be 
loaded  into  a  sustaining  base  computer.  The  computer  could  amomatically 
transmit  the  change  only  information  into  the  info^hcre  and  to  the  warrior  at  the 

distant  end.  This  would  automatically  update  the  tank's  technical  order  computer 
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chip.  This  ensures  the  warrior's  force  has  the  most  curreni  information  available  to 
take  the  fight  to  the  enemy  while  making  lift  space  available  for  additional 
ammunition  and  other  supplies  by  eliminating  the  need  to  ship  paper  technical 
orders  to  the  front. 

C4IFTW  focuses  on  the  information  needs  of  the  warrior.  It  changes  the 
paradigm  on  how  information  is  def^oyed  and  how  the  battlespece  is  presented  to 
the  warrior.  This  concept  fits  well  with  the  need  for  total  interoperability  between 
the  services  and  supports  the  strategy  of  a  rapidly  deployaUe  contingency  force  to 
counter  regional  crises.  Being  aHe  to  provide  this  architecture  in  a  secure  fashion 
is  tremendously  difficult. 

THE  DEFENSE  DATA  NETWORK  -  AN  EXAMPLE  OF  HOW 
MULTILEVEL  SECURITY  CAN  HELP 

The  Defense  Data  Network  (DDN)  has  been  the  primary  means  of  computer 
communicatiems  for  DOD  since  1983.  As  the  Joint  Staff  Integrated  Data 
Communications  Officer  from  1990  until  1992,  the  author  became  intimately 
familiar  with  DDN. 

The  DDN  was  established  with  four  separate  n^orks  for  security  reasons. 
The  MiUtary  Network  (MILNET)  transports  UNCLASSIFIED  out  SENSITIVE 
(U)  infoimatioo.  Defense  Secure  Network  1  (DSNETl)  transpevts  SECRET  (S) 
informatiem;.  Defense  Secure  Network  2  (DSNET2)  transports  the  TOP  SECRET 
(TS)  information  cf  the  Worldwide  Military  Coimnand  Control  Communications 
System  (WWMCCS)  computer  network,  and  Defense  Secure  Network  3 

(DSNET3)  transports  TOP  SECRET  SPECIAL  COMPARTMENTED 
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INFORMATION  (TS/SCI)  for  the  Defense  Intelligence  Agency. 

Each  network  requires  separate  computers  that  are  cleared  to  process  infonnation 
for  that  paiticuiar  network.  A  warfighter  needing  access  to  the  TS/SCI  network 
and  the  U  netwOTk  would  have  to  operate  and  maintain  two  separate  computer 
systems  and  pay  to  support  two  separate,  DSNET3  and  MILNET,  communications 
networks.  Warfighters  needing  access  to  all  four  levels  of  information  would  need 
to  support  four  different  computer  systems  and  four  different  networks.  This  is 
called  the  "swivel  chair"  effect. 

This  situation  of  multiple  computer  systems  and  multiple  communications 
networks  is  intolerable  for  several  reasons.  Mu]ti[de  systems  are  costly.  Four  times 
as  many  systems  must  be  acquired  and  maintained,  eating  up  acquisition  and 
operation  funds.  Multi{de  acquisitioos  also  mean  muMiie  acquisition  efforts. 
Depending  on  the  dollar  threshold,  the  same  process  for  acquiring  one  computer 
system  may  be  repeated  many  times  over  merely  because  different  systems  must 
operate  at  different  and  sqiarate  classification  levels  for  security  reasons.  This  is  a 
huge  investmoit  in  manpow^  at  ail  levels  up  to  and  including  the  Vice  Chairman 
of  the  Joint  Chiefs  of  Staff  as  chairman  of  the  Joint  Requirements  Oversight 
Coimdl  (JROC). 

Expenditure  oi  monetary  and  manhour  resources  is  not  the  only  drawback. 
The  warfighter's  ability  to  gather  and  assimilate  infonnation  from  the  multiple 
sources  becomes  limited  at  best  with  the  definite  possibility  cf  mformatiaa 
overload  occurring.  Multilevel  security  is  required  to  eliminate  this  duplicative 
and  inefficient  operational  configuration. 
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MULTILEVEL  SECURITY  -  WHAT  IS  IT  AND  WHAT  DOES  IT  DO? 

A  computer  c^Tcrating  in  a  multilevel  security  mode  is  c^xrating  in  an 
environment  in  which  two  or  more  classiflcaticm  levels  of  infoimation  are 

fuocessed  simultaneously  even  though  some  users  (even  only  one)  are  not  cleared 
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for  all  levels  cf  information  processed.  A  multilevel  network  is  one  in  which 
scane  users  do  not  have  the  dearance  for  all  information  processed.  This  n^ork 
may  com^nise  a  mixture  dedicated  and  multilevel  components,  where  two 
more  differ  in  their  classifications  and  some  users  do  not  have  all  access  approvals.^ 
If  multilevel  security  is  implemented  appropriately  at  the  computer  ^ems 
and  communications  networks  levels,  then  all  separate  computer  networks  can  be 
merged  into  one,  processing  all  levels  of  information  simultaneously.  This 
drastically  reduces  costs  for  multiple  acquisitions,  separate  systems  operations,  and 
minimizes  the  "swivel  chaii^'  effea  mentioned  earlier.  As  an  example,  the  four 
separate  computer  and  communications  networks  d  DDN  could  be  merged  into 
one  multilevel  computer  and  communications  system: 


Multilevel  security  not  only  allows  for  the  merging  of  separate  systems 
processing  various  levels  d  classified  information,  it  will  also  assist  the  warfighter 
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in  his  effort  to  "pull"  and  "fuse"  infomiation- 


PuUing  and  fusing  infoimaticxi  will  make  the  waifighter^s  job  easier.  The 
warfighter  may  request  the  latest  battle  readiness  status  of  friendly  forces  in 
friendly  battlcspace.  The  query  will  be  entered  into  the  warfighter's  single  entry 
device  and  6e  sent  into  the  worldwide  computer  and  communications  system  called 
the  infosi^ere.  The  query  may  require  infonnation  be  "pulled"  from  computer 
systems  and  their  databases  ranging  in  classification  of  UNCLASSIFIED  for  parts 
availability  to  SECRET  for  forward  line  of  troops  location  to  SPECIAL 
COMPARTMENTED  INFORMATION  for  special  forces  preparing  to  jump  off 
behind  enemy  lines.  The  infospheie  collects  all  available  data  and  then  sends  it  to 
a  fusion  point  to  be  reduced  to  a  graph  or  chart  that  is  readily  usaNe  to  the 
warfighter.  An  example  of  this  process  is  shown  in  the  following  figures. 


TCRMINAI. 

Fisurt  3 
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fusion  center 


Understanding  the  C4IFTW  concept  is  not  enough-  It  must  be  implemented 
securely.  Understanding  how  computer  security  is  estaHished  is  paramount  to 
incorporating  MLS  into  C4IFTW. 

ACCREDITATION  AND  CERTIFICATION 

The  concept  of  C4IFTW  has  been  defined  along  with  the  meaning 
multilevel  security.  We  next  need  to  understand  how  a  system  is  approved  to 
operate  in  the  multilevel  security  mode.  A  discussion  of  technical  assessment,  risk 
analysis,  and  the  role  of  approving  systmn  operation  is  in  order. 

Department  of  Defense  (DOD)  policy  states  that  any  computer  system,  more 
commonly  referred  to  as  an  automated  information  system  (AIS),  that  processes 
classified,  sensitive  undassified,  or  unclassified  information  must  und^o  a 

i  £; 

technical  assessment  and  management  approval  before  it  is  allowed  to  operate. 

The  technical  assessment  establishes  the  extent  to  which  the  syston  meets  a  set  d* 
specified  security  requirements  for  its  mission  and  operational  cnvironmenL  The 
approval  formally  assumes  responsibility  for  c^)erating  at  an  acceptable  level  of 
risk.  The  technical  assessmoit  and  managemoit  approval  processes  are  called 
certification  and  accreditation,  re^)ectiveiy.  A  Designated  Approving  Authority 
(DAA)  grants  the  approval  to  operate  based  on  reconunendations  resulting  from 
the  technical  assessmen^.^ 

Approval  to  operate  is  the  official  management  authorizatiem  to  operate  an 
AIS:  (a)  in  a  particular  security  mode;  (b)  with  a  prescribed  set  of  countermeasures 

(e.g.,  administrative,  physical,  peisoimel,  ccmununications,  emissions,  and 
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computeT  security  controls);  (c)  against  a  defined  threat  and  with  stated 
vulnerabilities  and  countenneasuies;  (d)  with  a  given  operational  concept;  (e)  with 
stated  interconnections  to  other  AISs;  (f)  at  an  acceptaUe  level  of  risk  for  which 

the  accrediting  authority  has  formally  assumed  responsibility;  and  (g)  for  a 
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specified  period  of  time. 

The  cominehensive  technical  assessment  of  a  system's  security,  made 
in  si^poit  c£  the  accreditation  process,  that  estaldishes  the  extent  to  which  a 
particular  ^stem  meets  a  set  of  specified  security  requirements  for  its  mission  and 
operational  environment,  is  the  risk  assessment  This  should  result  in  identifying 
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residual  risk  as  well  as  a  recommendation  to  the  Designated  Ai^noving  Authority. 

The  process  identifying  and  analyzing  threats  and  vulnerabilities 
associated  with  an  information  system,  to  determine  the  risks  (potential  for  losses) 
and  to  identify  cost-effective  corrective  measures  is  risk  analysis.  Risk  analysis  is 
part  of  risk  managonent,  which  is  used  to  minixnize  risk  by  q)ecifying  security 
measures  commeiisurate  with  the  relative  values  of  the  resources  to  be  protected, 
the  vulnerabilities  of  those  resources,  and  the  identified  threias  against  them.  The 
method  should  be  apj^ed  tfaroi^hout  the  system  life  qrde.  When  applied  to 
system  design,  a  risk  analysis  aids  in  countomeasure  spedficatioiL  When  applied 
during  the  imi^onentation  phase  or  to  an  operational  system,  it  can  verify  the 

effectiveness  of  existing  countermeasures  and  identify  areas  in  which  additional 
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measures  are  needed  to  achieve  the  desired  level  of  security. 

As  a  part  of  the  technical  evaluation  process,  integrity  of  information  is  a 

critical  factor.  This  pertains  to  ensuring  that  data  continues  to  be  a  proper 
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representation  of  information,  and  that  information  processing  resources  continue 
to  perform  correct  processing  operations.  Another  objective  is  to  ensure  that 
information  retains  its  original  level  of  accuracy.  Data  integrity  is  that  attiitHite  of 
data  relating  to  the  preservation  cf  its  meaning  an  ^  compl^eness,  the  consistency 
of  its  representations,  and  its  coirespond^ce  to  what  it  represents.  System  integrity 

is  that  attribute  d  a  system  relating  to  the  successful  and  correct  operation  d 
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computing  resources. 

The  official  who  has  the  authority  to  decide  on  accepting  the  security 
countomeasures  that  will  provide  an  appropriate  level  of  data  and  sy^m  integrity 
prescribed  for  an  AIS  or  the  official  responsilde  for  issuing  an  accreditation 
statement  that  records  the  decision  to  accept  those  countermeasures  is  the 
Designated  Approving  Authority  (DAA).  The  DAA  must  be  at  least  at  the 
Wing  or  Brigade  level,  have  authority  to  evaluate  the  overall  mission  requirements 
of  the  AIS,  and  provide  definitive  directions  to  AIS  developers  or  owners  relative 
to  the  ri^  in  the  security  postrue  of  the  AIS.  When  there  are  multiple  systons  that 
must  intoconnect,  there  are  multiple  accreditors.  In  these  situations  the  sharing  of 
responsibilities  for  approving  system  interconiiection  and  opmttion  must  be 
carefully  defined  in  a  Memorandum  of  Agreement  (MOA).  The  DAA  makes  a 
determination  on  wh^her  or  not  to  allow  system  operation  based  on  an  assessment 
of  c^rerational  need  versus  risk.  The  system  is  then  approved  for  operation,  with  or 

without  stipulations,  but  in  any  event  must  be  revaluated  in  most  cases  within  a 
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three  year  period. 
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ACCREDITATION  AND  CERTIRCATION  ISSUES 

The  piocess  iKxreditatiaii  and  ceitification  is  both  complex  and 
cumbersome.  It  is  paramount  that  the  process  take  place  to  ensure  proper 
protection  d  computer  systems  and  the  infcnnation  they  contain.  Problem  areas  in 
the  process  need  to  be  highlighted. 

Policy  has  been  unable  to  keep  up  with  rapidly  advancing  techiK>logy.  For 
example,  current  policy  provides  little  guidance  for  the  range  of  systems  employed 
today.  This  range  includes  everything  from  large,  central  computer  facilities  to 
stand-alone  personal  computers  or  intelligent  workstations  often  tied  together  over 
local  area  networks  (LANs)  or  connected  via  complex  networks.  This  situation  of 
lagging  policy  is  unacceptaUe  if  the  concept  of  C4IFrw  is  to  work.  Project 
managers  have  been  unable  to  fully  implement  systems  in  the  required  operational 
conEguradon  due  to  inadequate  or  non-existent  security  policy  for  system 
development.  A  program  man^CT  begins  system  fielding  and  is  directed  to  cease 
because  sufildcmt  security  mechanisms  are  not  in  place.  Unfortunately,  there  is  no 
consolidated  policy  for  development  of  the  syston. 

The  systCTis  mentioned  above  have  significant  differences  in  functionality 
and  vulnerabilities,  and  current  pdicy  provides  little  guidance  to  DAAs  on 
determining  an  acceptaUe  level  of  risk  based  on  the  technology,  environmental 
factors,  and  operational  requirements.  Improved  guidance  is  needed  on  how  to 
certify  and  accredit  aU  types  of  systems:  networks,  distributed  systems,  systems 

with  integrated  workstations,  database  management  systems,  and,  in  particular, 
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multilevel  secure  ^sterns.  Current  policy  is  erften  inconsistent  across  DOD 
components.  These  inconsistencies  may  cause  difficulties  as  many  individually 
certified  accredited  i^stems  from  multiple  components  are  bcii^  mlcgralcd  into  a 
larger  system.  DOD  has  no  clear,  consolidated  security  guidance  and  there  is  no 
institutionalized  training  for  D  AAs,  certification  technicians,  or  computer  system 
admiiiistiators.^^ 

There  are  many  reasons  for  these  proUems.  One  reason  is  the  lack  of 
resources,  both  staffing  and  dollars,  to  perform  certification  and  accreditation. 
Another  reason  for  not  certifying  systems  relates  to  the  question  what  is  a 
reasonatde  effort  for  ceitificatiom  Another  area  not  addressed  by  current  pdicy  is 
the  associated  consequences  of  not  accrediting  a  systenL  Many  systems  are 
operating  today  without  accreditation  and  there  is  no  enforconent  mechanism  in 
place  to  ensure  this  problem  is  corrected.  Uniil  DOD  ensures  all  computer  systems 
are  properly  accredited,  they  are  vulnoable  to  exploitatioiL  Even  if  DOD 
identifies  these  non-secure  systems,  there  are  no  resources  to  make  the 
coneclicais.^^ 

The  final  accreditation  and  certification  issue  to  be  addressed  is  acceptable 
level  of  risk.  Part  oS  the  accreditation  decision  is  the  acceptance  of  a  given  level  of 
risk  against  a  defmed  threat.  The  DAA  must  balance  the  risk  of  disclosure,  loss  or 
alteration  of  information,  the  availability  of  tl»  system  based  on  the  vulnerabilities 
identified  by  the  certification  process,  aiul  the  threat  that  these  vulnerabilities  may 
be  exfdoited  in  the  specific  environment  in  which  the  syston  is  being  used. 

With  regard  to  threat,  DAAs  in  general  are  not  sufficiently  aware  of  ^)ecific 


national,  regional,  and  environmental  threat  data  that  is  needed  to  make  decisions 
regarding  acceptable  risk.  Risk  must  also  be  balanced  against  operational 
requirements  mandating  acceptance  of  higher  risk,  such  as  during  a  crisis  situation. 
An  example  is  a  command  that  requires  high-speed  data  transfer  between  systems 
with  differing  security  levels.  MLS  functionality  is  needed,  but  the  technology  to 

support  it  is  not  available.  A  real-wodd  situation  that  needs  to  be  addressed  by 
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policy  follows. 

THE  ARMY  TACTICAL  PACKET  NETWORK; 

A  STUDY  IN  MLS  FRUSTRATION 
The  explosion  of  computer  technology  development  and  its  use  on  the 
battlefield  called  for  the  extension  of  DDN  and  all  computer  systems  it  supports  to 
the  battlefield  (echelons  Corps  and  below).  CongressioDal  direction  to  ensure 
tactical  forces  have  computer  communications  networks  similar  to  DDN  within 

theater  and  access  to  DDN  out  of  theater,  highlight  the  visibility  and  level 
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commitment  to  ensure  computer  ^stem  access  for  the  warfighter. 

The  Army's  approach  to  providing  this  capability  is  to  include  packet  data 
commumcatioos  equipment  similar  to  that  used  in  DDN  in  their  tactical 
communicatiofis  system.  Mobile  Subscriber  Equipment  (MSE  -  essentially  a 
tactical  cellular  telephone  system  that  provides  both  voice  and  data/computer 

communications  capability).  This  effext  is  named  the  Tactical  Packet  Network 
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(TPN). 

The  warfighter  lequiies  access  to  computer  systems  located  at  sustaining 
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bases  lo  order  supplies,  gather  imelligence  inforaiation,  and  send/receive 
messages  to  name  just  a  few  applications.  'Ilus  requirement  calls  for  an  automated 
interface  bctweoi  the  TPN  and  DDN  which  will  allow  the  warfighter  to  exchange 
information  wilh'the  sustaining  base  environment.  The  focus  is  on  developing  a 

sedution  that  will  not  place  the  burden  for  the  TPN  to  DDN  connection  on  the 
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warfighter. 

The  currently  approved  TPN  security  configuration  does  not  satisfy  all 
waifighting  requirements.  When  initially  conceived,  the  TPN  was  to  eperate  at  the 
SECRET  level  only.  This  is  the  same  classification  level  at  which  MSE  opermes. 
Unfortunately,  this  configuration  does  not  address  a  major  Army  requirement  -  to 
connect  to  the  UNCLASSIFIED  portion  of  DDN,  MILNET. 

Operations  DESERT  SHIELD  and  DESERT  STORM  clearly  demonstrated 
the  need  for  connectivity  from  the  tactical  level  back  to  the  sustaining  base  for 
information  such  as  parts  ordering  or  status,  pay  reccxd  information,  health  data 
bases  for  treating  illnesses,  etc.  The  computer  systems  that  provide  this 
information  are  on  the  MILNET.  Thoefore,  the  Army  has  a  requirement  to 
ccnmect  their  tactical  computer  systems  to  the  SECRET  and  UNCLASSIFIED 

portions  of  DDN  simultaneously  to  support  the  warfighter  at  both  the  strategic  and 
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operational  levels. 

Simultaneous  connecticsis  to  UNCLASSIFIED  and  SECRET  systems 
creates  a  significant  security  problem.  While  the  MLS  concept  would  allow  such  a 
connection,  the  technology  and  policy  do  not  yet  exist  to  implement  this 

configuration  of  ccanputer  networks  One  of  the  greatest  security  threats  from  this 
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type  of  connection  comes  from  computer  system  intruders,  commonly  referred  to 
as  "hackers".  Hackers  are  very  much  like  the  young  boy  in  the  movie  "War 
Games"  that  broke  in  to  the  computer  system  controlling  the  nation's  nuclear 
missiles.  Hackees  employ  rudimentary  computer  skills  and  public  networks  trying 
to  gain  access  to  a  computer  system  that  uses  poor,  if  any,  computer  security 
mechanisms.  Once  in  these  systems,  hackers  can  f^ant  computer  programs  called 
viruses  that  can  erase  data  ^es  compl^ely  or  insert  commands  that  will  tell  the 
computer  to  send  specific  informadon  to  them  autom^cally  whenever  it  is  entered 
into  the  ^stem. 

This  risk  is  real.  In  the  hook  The  Cuckoos  Egg,  author  Cliff  Stc^  describes 
how  he  captured  a  computer  spy  ring  in  Hanover,  Germany  breaking  m  to  United 
States  government  computers.  These  computer  spies  had  access  to  ^sterns  such  as 
those  at  White  Sands  Missile  Range,  Space  Systems  Division,  and  Redstone 
Arsenal.  The  hackers  gained  access  to  these  systems  through  a  connecdon 
between  the  UNCLASSIFIED  pardon  of  DDN,  MILNET,  and  the  general  puWic's 

computer  network  systems.  This  global  networking  of  computer  ^ems  is 
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commonly  referred  to  as  the  INTERNET. 

While  the  risk  is  real,  the  need  for  ccmnecting  government  and  public  sector 
computers  is  real  as  wcH.  This  ccmnecdon  is  required  for  govemm«it  computers 
to  communicate  with  computers  supporting  commocial  tran^portadon  enterprises 
such  as  rail,  trucking,  and  shipping.  In  addition,  DOD  research  laboratories  use  the 
conneedan  to  exchange  information  with  civilian  counterparts  that  are  on  coitract 
to  assist  in  DOD  programs.  The  risk  was  deemed  acceptaUe  until  the  requirement 
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to  simiiltancously  connect  networks  processing  different  d^^^lcaiions  oi 
information  arose. 

Hie  Army  has  a  real  need  to  connect  its  TPN  to  both  the  SECRET  and 
UNCLASSIFIED  networks  df  DDN.  Cost  constraints  prdiibit  funding  erf  two 
ndworic^  one  that  would  process  UNCLASSIFIED  information  and  the  other  that 
would  process  SECRET  information.  Therefore,  while  the  Army  is  trying  to  move 
in  the  direction  of  C41FTW,  the  lack  of  MLS  technology,  focused  and  prqperiy 
coordinated  DOD  pdicy  and  procedures  in  the  field  prevents  simultaneous 
connections  between  SECRET  and  UNCLASSIFIED  n^works.  The  only  real 
solution  is  to  connect  to  only  one  DDN  system  and  relay  information  to  the  other 


WHAT.NEEDS  TO  BE  DONE? 

Clear  and  focused  initiatives  facilitating  rapid  employment  of  current 
technology  with  an  eye  toward  evolution  aie  lequiied.  Required  initiatives  can  be 

broken  down  into  three  main  categories  of  MLS  technology  insertion,  training,  and 
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security  guidelines  aiul  improvements. 

While  on  the  Joint  Staff  the  author  worked  closely  with  the  author  of  the 
MLS  Target  Architecture  and  Implementation  Strategy.  The  major  focus  of  this 
document,  in  the  near  term,  is  technology  insertion  at  two  Unified  Command 
locatitms  -  United  States  Transportation  Command  (USTRANSCOM)  and  United 
States  C«itral  Command  (USCENTCOM).  MLS  technology  is  being  inserted  into 
the  AIS  ^sterns  supporting  the  two  Unified  Command  headquarters.  While 
Unified  Command  focus  is  essential  to  supporting  the  warfighting  misacm,  it  does 
not  require  MLS  insertion  be  limited  to  Unified  Command  headquarters. 

RECOMMENDA  nON:  MLS  tecimdogy  implementation  in  existing 
communications-computCT  systems  must  remain  focused  on  the  warfighter  but  not 
limited  to  the  Unified  Command  headquarters  locations  identified  above.  The 
MLS  program  <^ce  at  the  Defense  Information  Systems  Agency  (DISA)  must 
take  the  lead  to  map  out  where  and  how  emerging  MLS  technology  may  be 
emidpyed  at  echelons  Corps  and  below  in  the  Army  and  equivalent  levels  in  other 
Services.  DISA,  in  consultation  with  the  Naticmal  Security  Agaicy  (NS  A),  the 
Joint  Staff,  and  the  Army  should  map  out  how  existing  and  em^ging  MLS 
techndogy  can  be  used  to  satisfy  the  Army  requirement  to  connect  the  TPN 
simultaneously  to  SECRET  and  UNCLASSIFIED  networks.  This  effort  will 
include  architecture,  policy,  and  procedure  development  as  well  as  methods  for 
accreditation  and  certificatioiL  Other  systems  to  be  included  are  the  Integrated 
Tactical -Strategic  Data  Network  and  the  Defense  Message  System.  This  effort 

should  be  completed  NLT  1  September  1993, 
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Training  is  ^iker  area  where  increased  emphasis  will  enhance  DOD's 
aWity  to  incorporate  MLS  into  the  C41FTW  concept.  There  is  no  standardized 
requirement  for  training  DAAs  or  ceitificaticin  technicians  across  DOD  to 
ensure  all  im<kTStand  how  to  best  evaluate  the  security  posture  of  an  AIS. 

RECX5MMENDATION:  The  Defense  Information  Systems  Security 
Program  (DISSP)  in  conjimction  with  NSA,  DIA,  the  Joint  Staff,  DIS  A  and  the 
Services  and  Defense  agencies,  should  develop  training  modules  for  agencies  and 
individuals  responsible  for  system  accreditation  and  certification.  Training 
programs  will  vary  in  length  and  level  of  intensity  ranging  from  broad,  overarching 
reqiriicmenis  for  DAAs  to  very  spedAc  and  technically  oriented  training  few 
system  certiHars.  This  training  must  be  institutioiialized  to  erasure  system  and 
informational  integrity  are  not  jeopardized  as  we  imacooncct  systems  processing 
iirformaiion  of  differing  security  levels.  Tiaimng  programs  are  to  be  in  {rfacc  no 
later  than  1  September  1993.  Modules  will  be  developed  for  levels  of 
responsibility  ranging  from  the  President  to  the  security  officer  for  individual 
workstations. 

The  thiid  and  final  major  area  to  be  addressed  is  security  guidelines.  As 
DOD  began  cormecting  the  UNCLASSIFIED  portion  of  DDN  with  the  TOP 
SECRET  DOD  messaging  system  (AUTODIN)  many  questions  on  how  to  make 
tlie  secure  cormections  arose.  Given  the  lack  of  specific  guidance,  the  Defense 
Message  System  Security  Policy  WOTking  Group  (SPWG)  took  on  the  task  to  draft 
such  guidance  and  structure  a  process  to  ensure  the  connections  were  made  with  an 
acceptable  level  of  risk. 
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RECOMMENDATION:  The  DISSP  should  lake  on  the  task  lo  clearly 
delineate  what  the  technical  and  procedural  policies  are  to  make  such  connections 
securely  and  what  actions  are  required  in  all  stages  from  concept  to 
implementation  to  satisfy  these  requirements.  To  date,  all  effoits  have  focused 
only  on  the  Defense  Message  System  and  do  not  provide  a  general,  hroad-hrush 
approach.  Guidance  must  be  developed  and  distributed  for  all  possible  AlS 
connections  no  later  than  1  September  1993. 

CONCLUSION 

Operations  DESERT  SHIELD  and  DESERT  STORM  cleariy  demonstrated 
our  need  for  effective  C4I  to  mass  force  and  defeat  an  memy  swiftly  and 
decisively.  Our  new  national  strategy  wiU  be  implemented  in  an  environment  of 
dwindling  defense  dollars  ,dec]inmg  force  structure,  and  the  use  of  forward 
presence  versus  forward  deterrence.  This  environment  will  make  a  swift,  decisive 
victory  an  even  more  difncult  task  for  U.S.  forces  to  achieve.  The  concept  of 
C4IFTW  and  its  focus  on  warfighting  are  paramount  to  maximizing  use  of  what 
rescHuces  will  remain  afta  budg^  cuts  and  force  restructuring. 

The  concept  of  C4IFTW  will  remain  just  that,  a  concept,  unless  MLS 
technology  can  be  inserted  into  existing  systems  to  facilitate  fusion  of  informaticm 
and  formation  of  the  wanioTs  groimd  truth  picture  of  battlespace.  Without  MLS, 
the  warfighter  will  not  be  aUe  to  pull  information  and  have  it  shaped  and  presented 
promptly  and  in  a  fcmnat  easily  understood,  implementation  of  the  three 
recommendations  in  this  paper  will  begin  implementation  of  MLS  into  existing 
systems  and  evolution  toward  the  C4IFrw  concept. 
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